Cybercriminal groups exploit Vishing and SSO in rapid SaaS extortion attacks

Ravi LakshmananMay 1, 2026

Cybersecurity researchers are warning of two cybercrime groups that are carrying out “fast, high-impact attacks” mostly within the confines of SaaS environments, while minimizing the footprint of their activities.

The clusters, Cordial Spider (also known as BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (also known as O-UNC-025 and UNC6661), are believed to be behind high-velocity data theft and extortion campaigns that share a striking degree of operational similarity. Both hacking groups are assessed to have been active since at least October 2025, and the latter is a native English-speaking group with ties to the e-crime ecosystem known as The Com.

“In most cases, these attackers use voice phishing (vishing) to lure targeted users to malicious SSO-themed adversary man-in-the-middle (AiTM) pages, where they capture authentication data and migrate it directly to SSO-integrated SaaS applications,” CrowdStrike’s Counter Adversary Operations said in a report.

“By operating almost exclusively within a trusted SaaS environment, we minimize our footprint while reducing time to impact. The combination of speed, accuracy, and SaaS-only activity creates significant detection and visibility challenges for defenders.”

In a report published in January 2026, Google-owned Mandiant revealed that the two clusters represent an expansion of threat activity employing tactics consistent with extortion-themed attacks carried out by the ShinyHunters group. This involves calling victims while pretending to be IT staff and tricking them into visiting a phishing page that captures their credentials and multi-factor authentication (MFA) codes.

Snarky Spider will start stealing within 1 hour

Just last week, Palo Alto Networks Unit 42 and the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) assessed with medium confidence that the attackers behind CL-CRI-1116 were also most likely associated with The Com, and that the intrusions primarily relied on living-off-the-land (LotL) techniques. They added that the group uses residential proxies to hide its geographic location and bypass basic IP reputation filters.

“CL-CRI-1116 activity has been actively targeting the retail and hospitality sectors since February 2026, specifically using a combination of phishing attacks impersonating IT help desk personnel and phishing login sites to steal credentials,” researchers Lee Clark, Matt Brady and Quong Dinh said.

Attacks launched by the two groups are known to enroll new devices in order to bypass MFA and maintain access to compromised accounts, but not before deleting the existing device. The threat actors then attempt to suppress automatic email notifications related to unauthorized device registrations by configuring inbox rules that automatically delete such messages.
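The sequence described above (existing device deleted, new device enrolled, inbox rule deleting the registration notices) can be correlated per user in identity and mail audit logs. This is an added detection example, not code from the article or from the vendors it cites; the event schema, the keyword list and the one-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Hypothetical, vendor-neutral event schema; map IdP and mail audit logs onto it.
NOTIFY_HINTS = ("new device", "device registered", "security alert", "authenticator")

def rule_hides_notifications(rule):
    """True if an inbox rule deletes mail matching device/MFA notification wording."""
    if rule.get("action") != "delete":
        return False
    text = " ".join(rule.get("keywords", [])).lower()
    return any(hint in text for hint in NOTIFY_HINTS)

def detect_mfa_swap(events, window=timedelta(hours=1)):
    """Flag users with: MFA device removed -> new device enrolled ->
    notification-deleting inbox rule, in that order, all inside `window`."""
    alerts, state = [], {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        st = state.setdefault(ev["user"], {})
        if ev["type"] == "mfa_device_removed":
            st.clear()                      # a new removal restarts the sequence
            st["removed"] = ts
        elif ev["type"] == "mfa_device_enrolled":
            if "removed" in st and ts - st["removed"] <= window:
                st["device"] = ev["device"]
        elif ev["type"] == "inbox_rule_created" and rule_hides_notifications(ev["rule"]):
            if "device" in st and ts - st["removed"] <= window:
                alerts.append({"user": ev["user"], "new_device": st["device"],
                               "minutes": int((ts - st["removed"]).total_seconds() // 60)})
                st.clear()
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2026-05-01T09:02:00", "user": "alice@example.com", "type": "mfa_device_removed", "device": "phone-old"},
    {"ts": "2026-05-01T09:05:00", "user": "alice@example.com", "type": "mfa_device_enrolled", "device": "phone-new"},
    {"ts": "2026-05-01T09:07:00", "user": "alice@example.com", "type": "inbox_rule_created",
     "rule": {"action": "delete", "keywords": ["New device", "sign-in"]}},
    # Benign: enrollment with no prior removal, rule only files newsletters.
    {"ts": "2026-05-01T10:00:00", "user": "bob@example.com", "type": "mfa_device_enrolled", "device": "tablet"},
    {"ts": "2026-05-01T10:03:00", "user": "bob@example.com", "type": "inbox_rule_created",
     "rule": {"action": "move", "keywords": ["newsletter"]}},
    # Outside the window: removal and enrollment are 3.5 hours apart.
    {"ts": "2026-05-01T08:00:00", "user": "carol@example.com", "type": "mfa_device_removed", "device": "key-1"},
    {"ts": "2026-05-01T11:30:00", "user": "carol@example.com", "type": "mfa_device_enrolled", "device": "key-2"},
]

if __name__ == "__main__":
    for alert in detect_mfa_swap(SAMPLE_EVENTS):
        print(alert)
```

Because the rule check depends on notification wording, the keyword list should be built from the actual subject lines the organization's IdP sends.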

The next stage focuses on targeting highly privileged accounts through further social engineering, aided by scraping internal employee directories. Once armed with elevated access, the attacker can compromise the target SaaS environment, seek out high-value files and business-critical reports in Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce, and then exfiltrate the targeted data to infrastructure under their control.

“In most observed cases, these credentials grant access to an organization’s identity provider (IdP) and provide a single point of entry to multiple SaaS applications,” CrowdStrike said. “By exploiting the trust relationship between an IdP and connected services, attackers bypass the need to compromise individual SaaS apps and instead move laterally through a victim’s entire SaaS ecosystem in a single authenticated session.”

